Security Theater – Page 6 – A Geek With Guns

Focusing On Softer Targets

In regards to the Office of Personnel Management (OPM) breach I noted that the federal government’s networks are only as secure as the weakest link. While it’s likely federal agencies such as the Department of Defense (DoD) and National Security Agency (NSA) have much more secure networks than the OPM or Internal Revenue Service (IRS) the fact that all these federal agencies share data amongst each other means an attack only needs to breach the weakest network. Apparently that’s what China has been doing:

WASHINGTON — After years of cyberattacks on the networks of high-profile government targets like the Pentagon, Chinese hackers appear to have turned their attention to far more obscure federal agencies.

Law enforcement and cybersecurity analysts in March detected intrusions on the computer networks of the Government Printing Office and the Government Accountability Office, senior American officials said this week.

It’s a smart move. Just as much valuable information can be gleamed from lesser known agencies as more famous agencies. The fact is federal agencies have so much data on both individuals and government operations that they’re all prime targets. Herein again lies the fallacy of the “nothing to hide” crowd. They believe the only eyes that will be looking at the data the federal government has collected on them is the federal government. Truth be told other eyes such as foreign governments and malicious hackers will also be looking at their data.

The reason it’s important to keep as much data away from the federal government as possible is not just because of what the federal government will do with it but also because of the likelihood it will lose control of that data in the future.

For $549 You Can’t Own A Gun Detection System That Can’t Detect Guns

I’m not sure what to think about this one. GunDetect is being marketed as a camera that can detect when somebody is carrying a gun. Based on what has been published so far I’m not sure if this is meant to be a legitimate product or a really clever troll.

The first problem regarding GunDetect is technical. Namely what the device isn’t capable of doing:

There’s a question as to how effective this will be as a first line of defense, though. The makers say that their system is accurate “90% of the time” in instances where a gun is clearly visible. That sounds good, but that leaves a lot of room for misses. What happens if nogoodniks are smart enough to conceal their weapons? Also, night vision support isn’t in these existing models — for now, you can forget about spotting thieves in the middle of the night. The technology could easily be useful as an extra layer of gun safety or security, but it won’t replace a good home security system or vigilant parenting.

There’s only 90% chance that the device will successfully detect and gun and then only if the gun is being carried openly and there’s enough light. In other words this device is pretty much worthless at determining whether the person who broke into your home at oh dark thirty is armed or not. But the problems with this product don’t stop there. If you want access to this remarkably limited device you’ll have to spend some major dough. Since it’s 2015 this product has a Kickstarter page. On it you’ll notice two models being offered:

GunDetect comes in two versions, both of which are based on the latest computer-vision algorithms and optical sensing hardware. The difference is the location for the massive amount of number-crunching required to reliably detect a gun in an image.

GunDetect Premium is our main product and does all its vision processing locally using a powerful computing system that does not need to send any video data to the Internet – giving you the peace of mind knowing your private video never leaves the premises.

GunDetect Cloud has less local processing and uses our Internet servers to help crunch encrypted video data – potentially taking longer to detect a gun than GunDetect Premium.

Getting a GunDetect Premium requires throwing $549.00 at the Kickstarter. GunDetect Cloud starts at $349.00 but that only includes a one-year subscription to the service. What a bunch of stingy bastards! The Premium line seems like the only sane way to go since it doesn’t require working Internet service to function, doesn’t upload a constant video feed of your home to a third-party server, and doesn’t involve a yearly $100.00 (I shit you not, the reward tier for an additional year is $100.00) subscription. But for that price you could invest in an actual gun that would at least give you a means of defending yourself against an armed invader.

I don’t think technology able to detect whether is somebody armed is necessarily a bad thing. It could serve as an additional layer of defense for a home or office. However such a device can only be considered effective if it can detect both open and concealed weapons as well as function independently of an external server and not be dependent on environmental factors such as light availability. A weapon detection system that can’t detect conceal weapons is pretty worthless. If somebody is carrying a weapon I can see that already, I don’t need an expensive camera to confirm what my eyes are showing me. Any system that depends on an external server is rendered worthless if the Internet goes out, which can happy for any number of reasons including a burglar cutting your Internet line or the power going out. And what good is a weapon detection system that is unable to detect whether the person who kicked in my door in the middle of the night is armed? That’s the situation where I would most want to know whether somebody is armed or not.

Nothing about this product impresses me. It has technical weaknesses that make it ineffective at detecting weapons, the subscription service for the Cloud model is expensive, the price of the standalone Premium model is very expensive, and the Cloud model creates some serious privacy concerns. Judging by the number of backers so far I’m not the only one who sees this product as a nonstarter. If this is meant to be a legitimate product it would behoove the developers to return to the drawing board and sort these problems out before begging the Internet for money. If this is meant to be a clever troll I must tip my hat to them.

Federal Government Demonstrates How Not To Do HTTPS

I admit that setting up Hypertext Transfer Protocol Secure (HTTPS) isn’t as easy as it should be. But there’s no reason why something a massive as the federal government, especially when you consider the fact that it can steal as much money as it wants, can’t properly setup HTTPS. But it can’t.

I use HTTPS Everywhere to force as many sites as humanly possible over HTTPS instead of HTTP. Usually this works very well but sometimes a site isn’t properly setup and my user experience goes south. The Senate website is one of the sites that provides a suboptimal user experience. Take a look at these two exceptions I received when trying to access information on the Senate’s website:

The thing to note is that the web server is setup to give each senator their own subdomain. This requires the certificate to contain each individual subdomain. As you can see by the errors I received the certificate doesn’t contain the subdomain for the Committee of the Judiciary or Rand Paul. There are two things to take away from this.

First, the Senate’s web server is setup in a very fragile way. Instead of creating a separate subdomain for each senator it would have been much smarter to create a separate subdirectory for each senator. The only difference that would make for the user is they would have to type https://www.senate.gov/paul instead of https://www.paul.senate.gov. Since no subdomains would be needed the certificate wouldn’t have to contain the name of every senator and Senate committee.

Second, whoever is in charge of maintaining the certificate for the Senate’s web server is incompetent. Since each senator has a separate subdomain the certificate should be renewed after every election with the subdomains of the new senators added and the subdomains of the old senators removed. Likewise, the certificate should be renewed every time a new Senate committee is created or an old one is retired. That would allow users to securely connect to each Senator’s website.

In all likelihood this setup is the result of the server originally being created without any consideration given to security. When security became a concern the system was probably patched in the all too common “good enough for government work” manner instead of being redesigned properly to reflect the new requirements. And since there is almost no accountability for government employees nobody tasked with maintaining the server probably saw fit to periodically verify that the certificate is valid for every available subdomain.

I would argue that this is yet another example of the government’s poor security practice that should have everybody worried about the data it collects.

The Deplorable State Of The Government’s Network Security

“I’ve got nothing to hide,” is a phrase commonly spoken by supporters of government surveillance and those too apathetic to protect themselves against it. It’s a phrase only spoken by the ignorant. With each working professional committing an average of three felonies a day there are no grounds for anybody to claim they have nothing to hide from the government. But even those who don’t believe they have anything to hide from the government likely feel as though they have something to hide from the general public. With the breach of the Office of Personnel Management’s (OPM) network we were shown another important fact: the government’s network security is in such a poor state that any data it collects could be leaked to the general public.

Now we’re learning that the OPM wasn’t the only government agency with deplorable network security. It’s a chronic problem within the government:

Under a 2002 law, federal agencies are supposed to meet a minimum set of information security standards and have annual audits of their cybersecurity practices. OPM’s reviews showed years of problems.

But the issue is far more widespread than with just one agency. According to the Government Accountability Office, 19 of 24 major agencies have declared cybersecurity a “significant deficiency” or a “material weakness.” Problems range from a need for better oversight of information technology contractors to improving how agencies respond to breaches of personal information, according to GAO.

“Until federal agencies take actions to address these challenges—including implementing the hundreds of recommendations GAO and agency inspectors general have made—federal systems and information will be at an increased risk of compromise from cyber-based attacks and other threats,” the watchdog agency said in a report earlier this month.

A large majority of major agencies have declare their network security to be unfit. In addition to general network security there are also concerns about overseeing contractors; which is pretty legitimate after Edward Snowden, an at the time contractor, walked off with a lot of National Security Agency (NSA) secrets; and abilities to respond to breaches.

Many mass surveillance apologists have pointed out that the OPM isn’t exactly the NSA because they assume the latter has far better security. As I mentioned above, Edward Snowden proved otherwise. And even if some agencies do have effect network security the problem of inter-agency sharing is a real concern. Assume the Internal Revenue Service (IRS) actually has adequate network security but it shares information with the OPM. In the end the data held by the IRS is still acquired by malicious hackers because they were able to compromise an agency that also held the data. Security is only as strong as the weakest link.

The next time somebody claims they have nothing to hide from the government ask them to post all of their personal information to Pastebin. If they’re not willing to do that then they should be concerned about government surveillance considering the state of its networks.

Hacking Team Changes Its Tune In Desperate Attempt To Remain Relevant

Last week Hacking Team made a big deal about terrorists having access to its advanced technology. This week everything is different. Hacking Team wants the world to know that the technology that was obtained from its internal network is old and crappy and no big deal:

On Monday, Hacking Team released a statement saying that while some of its surveillance-related source code was released to the public, the firm still retains an edge. “Important elements of our source code were not compromised in this attack and remain undisclosed and protected,” the release said. “We have already isolated our internal systems so that additional data cannot be exfiltrated outside Hacking Team. A totally new internal infrastructure is being build [sic] at this moment to keep our data safe.”

Hacking Team must work very fast if it was able to discover all new exploits between last week and today that allows it to regain its edge as a top purveyor of surveillance software to countries that regularly commit atrocities. At best the company is literally making up bullshit, which wouldn’t be the first time considering how often it denied doing business with many of the countries it was doing business with, or at worst has been able to buy a slew of new zero-day exploits. Either way I doubt the damage against Hacking Team’s brand can be undone. Being a malware seller that was breached is one thing but being a malware seller that has demonstrably shitty internal security practices isn’t likely to put its customers’ minds at ease.

My highest hope is that Hacking Team goes bankrupt and its top brass are raked through the coals.

If A Law Is Passed And Nobody Can Enforce It Is It Still A Law

Online harassment, often called cyber-bullying by legal marketing teams, has become a very hot topic in the last couple of years. More people are seeing first hand how ruthless denizens of the Internet can be and are demanding something be done. Governments around the world are acknowledging this issue and addressing it in the only way they know how, issuing decrees. New Zealand has lead the charge by passing a law making online harassment illegal:

The Harmful Digital Communications Bill passed its third and final reading last night.

[…]

The bill’s key elements:

Harmful Digital Communications Bill: key provisions

A fine of up to $50,000 for an individual or up to $200,000 for a body corporate, or up to two years’ jail for posting or sending a “harmful digital communication” – aka cyber-bullying with a post likely to cause distress. The bill covers racist, sexist and religiously intolerant comments, plus those about disabilities or sexual orientation;

Up to three years’ jail for the new crime of incitement to suicide;

An “approved agency” will advocate on behalf of complainants. The aim is that the agency will be able to make direct contact with web publishers and social media sites like Facebook and Twitter, where a member of the public often has trouble getting heard (the Law Commission has recommended NetSafe be the approved agency; the non-profit NetSafe’s backers include InternetNZ, the NZPolice, the Ministry of Education and private companies);

If the approved agency makes no headway, a complaint is escalated to a District Court judge; and

Web publishers can opt in to a safe-harbour provision, protecting them from liability (and arguably also crimping free speech) if they agree to take down allegedly offending material on demand or at least within a grace period of 48 hours.

When used outside of legal circles the word law implies something that, as far as we know, cannot be violated. The laws of physicals, for example, state that the speed of light cannot be exceeded. That leads me to ask an important question, if nobody can enforce a law is it still a law?

If you read through this bill you’ll quickly realize that it puts the legal burden on the content host. In order to avoid being held liable for user content the host must agree to remove reported content within 48 hours of notifying the author if the author doesn’t submit a counter-notice within the same span of time. Anybody who has worked in a sizable company knows that the default position of the legal department is always on the safe side. That being the case this bill will likely convince companies to pull down any reported content with little or no investigation. So this bill, on the surface, appears to solve the problem by ensuring companies are motivated to remove harassing content (and, as a more concerning aside, could end up being a tool useful for general censorship as well if companies remove content without actually investigating it).

But deleting content doesn’t actually solve the problem of online harassment. Content is easy to create and post. If something harassing is deleted it can simply be posted again. Even if the account of the person posting offending content is shutdown it’s a simple matter on most sites to create a new account. And if there’s a specific person being targeted by numerous individuals, such as the people targeted by GamerGate, it quickly becomes infeasible to shutdown accounts faster than they’re created. A handful of administrators charged with reviewing complaints and closing offending accounts is no match for hundreds or thousands of individuals dedicated to posting harassing content. Therefore I would argue this bill isn’t a law because it can be easily bypassed by online harassers.

I’m not a fan of complaining about a proposed solution without offering one of my own. To that end I want to diverge from the topic of whether or not this is a law and focus on what is actually needed to counter online harassers. Dealing with the issue of online harassment means focusing on the harassers, not the content hosts. But siccing law enforcers after individuals who have effective tools to anonymize themselves (as with any technology, tools that anonymize people can be used for good and bad) is also infeasible. How, for example, can law enforcement agents pursue an Internet protocol (IP) address, which is the only identifiable information content hosts may have access to, of a Tor exit relay or a virtual private network (VPN) provider in a foreign country? Even if the IP address can be traced back to an entity law enforcers can go after how can they verify the owner even knew their network was being used for online harassment? A depressingly large number of people have no idea how to secure their wireless access points and many businesses that offer wireless access to customers do so with open networks because the logistics involved in doing the same with a secure network is too complex for them.

So the question becomes, what can be done to counter online harassment? Back when malicious hackers acquired login credentials for several celebrities’ iCloud accounts I said a counter-hacker initiative was needed and I believe such a tactic could be applicable here as well. Groups dedicated to countering online harassers could raise the costs of harassing people online, which is nearly zero at the moment. The key, in my opinion, is having people dedicated to the task (in other words, like any private security group, paid for their services so they can focus on providing them) that aren’t restricted by state decrees and have the motivation law enforcers lack.

Is this the only solution? Hardly. It’s just one that I can think of. Would this solution work? I believe so but I can’t say for certain. What I do know is finding a solution to online harassment, as with finding a solution to any problem, requires markets. The creativity of the world has to be tapped to find a way to effectively address this problem because the creativity of the world is currently being tapped to create this problem. Relying on a handful of individuals to write unenforceable words on pieces of paper isn’t going to accomplish anything.

TSA: Protecting You from Terrorists Five Percent of the Time

The Transportation Security Agency (TSA) was established shortly after the 9/11 attacks to provide better airplane security. At least that’s the official story. So far the TSA has proven to be incredibly incompetent at its job. Wannabe terrorists have managed to get explosives on board airplanes by hiding them in underwear and shoes. Fortunately the bombs failed to go off but not because of anything the TSA did. However even I never expected a failure rate this absurdly high:

A recent internal investigation by the Department of Homeland Security has found security failures at dozens of the nations’ busiest airports—breaches that allowed undercover investigators to smuggle weapons, fake explosives and other contraband through numerous checkpoints.

In one case, an alarm sounded, but even during a pat down, the screening officer failed to detect a fake plastic explosive taped to an undercover agent’s back. In all, so-called “Red Teams” of Homeland Security agents posing as passengers were able get weapons past Transportation Security Administration agents in 67 out of 70 tests — a 95 percent failure rate, according to agency officials.

A 95 percent failure rage? From a glass is half full perspective I guess the TSA will protect us from an average of five percent of terrorist attacks though!

Only a government agency could demonstrate this level of incompetence and still exist. Failing to fulfill your mandate 95 percent of the time requires shielding from liability that only the state can offer. Imagine hiring a private security guard who only stopped five percent of shoplifters. You’d toss his ass out in a second and maybe hire an investigator to see whether that guard was colluding with the shoplifters since that level of failure almost necessitates him being in on the scam.

The big question is what will come of this. My prediction is a whole lot of nothing. A few senators will use the investigation’s findings to do a big of grandstanding, the higher echelons of the TSA will get shuffled around a bit, and nothing noteworthy will change. I’m sure there will be several congressional grillings of high level TSA officials where we’ll hear excuses about lack of funding, inability to force people to go through body scanners (I’m sure the TSA would love to eliminate opt-outs), and agents not having full enforcement powers (TSA agents can’t arrest you and this really pisses many of them off). The congress critters doing the grillings will likely yell loudly, make some snide remarks, and little else. Air travelers will likely find themselves subjected to more draconian police state nonsense in the name of safety.

On the upside if you want to carry a firearm on board to protect yourself there’s a 95 percent chance you won’t get caught. Every storm cloud has its silver lining, I guess.

United States Government Looking to Repeat Security Blunder

As we’re recovering from two vulnerabilities caused by old export restrictions on strong cryptography tools the United States government is looking to repeat that failure:

The U.S. Commerce Department has proposed tighter export rules for computer security tools, a potentially controversial revision to an international agreement aimed at controlling weapons technology.

On Wednesday, the department published a proposal in the Federal Register and opened a two-month comment period.

The changes are proposed to the Wassenaar Arrangement, an international agreement reached in 1995, aimed at limiting the spread of “dual use” technologies that could be used for harm.

Forty-one countries participate in the Wassenaar Arrangement, and lists of controlled items are revised annually.

The Commerce Department’s Bureau of Industry and Security (BIS) is proposing requiring a license in order to export certain cybersecurity tools used for penetrating systems and analyzing network communications.

Another great example of the state making the same mistake, only harder. Restricting the export of strong cryptographic tools put everybody at risk of attack and an export restriction against penetration testing tools would put everybody at risk of missing basic vulnerabilities in their networks.

Penetration testing tools, like any technology, can be used for good and bad. If you properly utilize the tools on your network you can discover vulnerabilities that are exploited by those tools and patch them. Not utilizing these tools allows an malicious actor to exploit your network using those tools. Any restriction on exporting these tools will leave networks vulnerable to them.

Why would the United States government propose implementing restrictions that put the entire world at risk? Most likely it’s because government agencies utilize penetration testing tools to exploit networks and would therefore gain considerably by making defending against them more difficult. This proposal shows just how self-centered the state really is because it’s willing to put billions of people at risk just to make its task of exploiting networks a little easier. Its narcissism is so bad that it doesn’t even care that this restriction would also make every network more vulnerable to exploitation by its enemies (if the United States can hack your network then foreign countries such as North Korea can as well).

Fortunately we learned what happens when restrictions are placed on ideas during the crypto wars. Even though the United States restricted the export of strong cryptographic algorithms the knowledge spread quickly. It’s pretty hard to restrict something that can literally be printed on a t-shirt, especially when you have a worldwide network that specializes in information sharing. If this restriction is put into place it will be entirely ineffective at everything but giving the state justification to put several very intelligent people in a cage for the crime of making our networks safer.

Using Copyright Laws to Push Independent Mechanics Out of the Market

You have two options when your out of warranty vehicle needs repairs. Option one is to spend a small fortune taking your vehicle to the certified dealer and having their mechanics fix it. The other option is to spend far less money and either repair it yourself or take it to an independent mechanic. Because automobile manufacturers make tons of money off repairing the vehicles they sell they have a direct interest in locking out independent mechanics (both professional and hobbyists).

It’s difficult to lock people out of purely mechanical devices. Any part on a car can be fabricated with enough machining tools and many people rely on this fact to restore old vehicles. But computer technology is offering automobile manufacturers an option to legally lock out independent mechanics through copyright law:

Allowing them to continue to fix their cars has become “legally problematic,” according to a written statement from the Auto Alliance, the main lobbying arm of automakers.

The dispute arises from a section of the Digital Millennium Copyright Act that no one thought could apply to vehicles when it was signed into law in 1998. But now, in an era where cars are rolling computing platforms, the U.S. Copyright Office is examining whether provisions of the law that protect intellectual property should prohibit people from modifying and tuning their cars.

[…]

In comments submitted so far, automakers have expressed concern that allowing outsiders to access electronic control units that run critical vehicle functions like steering, throttle inputs and braking “leads to an imbalance by which the negative consequences far outweigh any suggested benefits,” according to the Alliance of Global Automakers. In the worst cases, the organizations said an exemption for enthusiasts “leads to disastrous consequences.”

If automobile manufacturers are allowed to charge people who modify a vehicle’s electronics it opens the door for locking independent mechanics out of the automobile repair business. All it would take is including some rudimentary electronics on every major component of a vehicle (which often exist already) and require it to receive the proper digital signature from the on-board computer to operate. Then, in order for the vehicle to start, the manufacturer can set a requirement that each part must transmit the proper digital signature to the on-board computer. If any part or the on-board computer fails to provide the proper digital signature the car can simply refuse to start (for security purposes, of course).

By holding the private keys to create the correct digital signatures an automobile manufacturer could tightly control who can and cannot create parts for their vehicles. It could also control who it is willing to supply parts to. Right now investing so much money into implementing such a scheme is pointless because there’s no recourse for manufacturers to take against those who modify the electronics. That would change quickly if they could charge anybody who modifies the electronics of a vehicle under the Digital Millennium Copyright Act. Then they could get the state to go after anybody who modifies a vehicle’s electronics for them. Anybody who modifies the electronics on a vehicle would then face serious cage time and fines at little cost to the manufacturer.

Touching Your Junk for Freedom

What’s to prevent sexual predators from getting a job with the Transportation Security Administration (TSA) so they can feel up people? Not a damn thing as people flying through the Denver International Airport found out firsthand:

DENVER (CBS4) – A CBS4 investigation has learned that two Transportation Security Administration screeners at Denver International Airport have been fired after they were discovered manipulating passenger screening systems to allow a male TSA employee to fondle the genital areas of attractive male passengers.

It happened roughly a dozen times, according to information gathered by CBS4.

According to law enforcement reports obtained during the CBS4 investigation, a male TSA screener told a female colleague in 2014 that he “gropes” male passengers who come through the screening area at DIA.

“He related that when a male he finds attractive comes to be screened by the scanning machine he will alert another TSA screener to indicate to the scanning computer that the party being screened is a female. When the screener does this, the scanning machine will indicate an anomaly in the genital area and this allows (the male TSA screener) to conduct a pat-down search of that area.”

A major problem with a state is that it reserves for itself the right to violate anybody at any time. This is the nasty habit of attracting people who want to violate other human beings. Because of this you get enforcement agencies packed with people most would consider undesirable.

Compounding that problem is the problem of monopoly. When the state declares a monopoly on something and its power is used to violate people there are no alternatives. In the case of the TSA the only alternative to getting sexually assaulted by a TSA agent is not to fly since the state has granted itself a monopoly on airplane security.

Making matters even worse is that the state usually shields its agents from liability (which it can do because it has granted itself a monopoly on legal matters). Nobody was arrested or charged over this incident. Two TSA agents were fired and the Denver District Attorney’s Office decided not to file charges:

Earlier this month a prosecutor from the Denver District Attorney’s Office was asked to review the case but she declined to press charges because there was no reasonable likelihood of conviction and no victim had been identified.

I hope you continue to enjoy living in the freest goddamn country on Earth!